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METHOD AND DEVICE FOR CONTROLLING 



DISTRIBUTION AND USE OF DIGITAL WORKS 



BACKGROUND OF THE INVENTION 
Field Of The Invention 

[0001] The present invention relates to a method and device for 
controlling distribution and use of a digital work. Furthermore, 
5 the present invention relates to a record carrier for storing the 
digital work. 

[0002] A fundamental issue facing the publishing and information 
industries as they consider electronic publishing is how to prevent 
unauthorised unauthorized and unaccounted distribution ei — and usage 

10 of electronically published materials. Electronically published 
materials are typically distributed in a digital form and created 
on a computer-based system having the capability to recreate the 
materials. Audio and video recordings, software, books and 
multimedia works are all being electronically published. Royalties 

15 are paid for each accounted for delivery, such that any unaccounted 
distribution results in an unpaid royalty. 

[0003] The transmission of digital works over networkSj_ such as 
the widely used Internet^ is nowadays usual practice. The Internet 
is a widespread network facility by which computer users in many 
20 universities, corporations and government entities communicate and 
trade ideas and information. Thus, it would be desirable to utilise 



PHNL000448-SS-RED-081205 



1 



PHNL 000448 

utilize such networks for distribution of digital works without the 
fear of wide -spread unauthorized copying. 

[0004] The apparent conversions between consumer appliances and 
computers, increasing network and modem speeds, the declining costs 
5 of computer power and band- widths, and the increasing capacity of 
optical media will combine to create a world of hybrid business 
models in which digital contents of all kinds may be distributed on 
optical media played on at least occasionally connected appliances 
and/or computers, in which the one-time purchase models common in 

10 music CDs and initial DVD (digital video disc) movie offerings are 
augmented by other models, for example, lease, pay-per-view, and 
rent to own, to name just a few. Consumers may be offered a choice 
among these and other models from the same or different 
distributers and/or other providers. Payment for use may happen 

15 over a network and/or other communication channels to some payment 
settlement service. Consumer usage and ordered information may flow 
back to creators, distributers, and/or other participants. The 
elementary copy protection technologies for recordable optical 
discs now being introduced cannot support these and other 

20 sophisticated models. 

Description Of The Related Art 

[0005] Document US A 5 6 29 D 8 0 U.S. Patent 5.629.980 discloses a 
method and device for controlling distribution and use of a digital 
25 work as define in the preamble of claims 1 and 13 therein , wherein 
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a digital or usage right is acquired together with the purchase. 
This usage right limits how a music track purchased on the 
Internet, downloaded, and stored in scrambled form on a recordable 
optical disc can be used. These digital rights are also called 
5 usage rules or usage rights. For example, the buyer may be allowed 
to make three copies for a personal use, a fourth copy will be 
refused. Alternatively, the buyer may be allowed to play a specific 
track four times, whereas the optical disc drive will not pla y the 
specific track a fifth time. 
10 [0006] The usage rights are stored preferably on the optical 

disc. In this case, the usage rights travel together with the music 
and the disc will play on all disc players that support this 
feature . 

[0007] An Electronic Music Download (EMD) application used to 
15 download the music track from the Internet has to store several 
pieces of information on the disc, e.— g.j_ the scrambled audio 
track, the key needed to descramble the audio track, and a 
description of the usage rights. Some of the usage rights can be 
decreased (i.— e.j_ consumed) when they are used. The rule "three 
20 copies for personal use", for instance, becomes "two copies for 
personal use" after one copy has been made. The usage rights 
therefore contains counters that can be updated when a usage right 
has been exercised. 

[0008] Any equipment which is arranged to access the downloaded 
25 track should comply with the rules underlying the purchased usage 
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rights. That is, only aut hor i scd aut hor i zed , trusted, playback 
equipment should be able to read the key, and set the usage rights 
or counters. Therefore, a non- compliant application which may copy 
tracks without updating the counter, increment counters without 
5 paying additional fees, or make an identical copy of the disk with 
the same usage rights should be prevented. 

[0009] As regards a bit -by-bit copy operation using a standard 
disc drive, a Unit Disc Identifier (UDI) has been suggested, which 
may be written by the disc manufacturer on the disc in a way that 

10 can be read by the playback equipment, but cannot be modified. If a 
recordable disc has a UDI, this identifier can be combined with or 
incorporated in a scrambling key of the audio track. A bit -by-bit 
copy of the concerned disc onto another record carrier cannot be 
descrambled anymore, since the other record carrier will have a 

15 different UDI, such that the scrambling key cannot be recovered 
anymore . 

[0010] However, a "copy and restore attack" or "replay attack" 
may be used to circumvent the above UDI solution. In this case, a 
standard disc drive is used to determine those bits which have been 

20 changed on the disk when a usage right is consximed. These bits 
typically relate to the counters of the usage rights and are 
therefore copied to another storage medium. Then, the usage right 
is consumed, e.— g.^ by making copies, until a copy- counter has 
reached zero and no further copies are allowed. The determined and 

25 stored bits are restored from the storage medium back onto the 
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disc. Now, the disc is in a state which pretends that the usage 
rights have not been consvinied or exercised, such that the user may 
continue making copies. In this case, the UDI-dependent scrambling 
key has no influence on the copy operation, since the disc has not 
5 been changed. 

[0011] Furthermore , document International Patent Application 
No. WO-A-97/43761 , corresponding to U.S. Patents 5,943,422 and 
6, 157, 721, discloses a rights management arrangement for storage 
media such as optical digital video discs, wherein a secure 

10 -""-^software container-^^ is used to protectively encapsulate a 
digital work and corresponding usage right information. 
Furthermore, an encrypted key block is stored on the disc, which 
provides one or more cryptographic keys for use in decrypting the 
digital work. The decryption keys for decrypting the key block are 

15 also stored on the record carrier in the form of a hidden 

information, stored in a location which can be physically enabled 
by a corresponding firmware or jumper of the disc drive, such that 
it maybe accessible for disc players but not for personal 
computers. Thus, any attempt to physically copy the disc by a 

20 personal computer would result in a failure to copy the hidden 
keys . 

[0012] However, even this cryptographic protection method may 
not prevent a successful -"-;;.copy and restore attack-^^, since a 
potential hacker restores the detected and copied usage right data 
25 back to their original location on the same disc. Then, the hacker 
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may play again the track for which the usage rights have been 
exercised, without paying again. It is noticed that the hacker does 
not have to read or write the hidden keys to circumvent the 
protection mechanism. Thus, the -"-_^copy and restore attack-"-^ is 
5 useful for rights that are consumed, such as a right to play once, 
a right to make a limited number of copies (where a copy counter on 
the disk is incremented after each copy) , or a right to move a 
track from one disc to another (where the track on the original 
disc is deleted) . 

10 

SUMMARY OF THE INVENTION 
[0013] It is therefore an object of the present invention to 
provide a method and device for controlling distribution and use of 
a digital work based on an attached usage right information, and a 
15 corresponding record carrier, by means of which a circumvention of 
the usage rights by a "copy and restore attack" can be prevented. 
[0014] This object is achieved by a method for controlling 
distribution and use of a digital work, comprisincr the steps of; 

a] attaching a usage right information to said digital work, 

20 said usage write information defining one or more conditions which 

must be satisfied in order for said usage right to be exercised; 

b) storing said digital work and its attached usage right 

information on a record carrier; 

cj updating said attached usage right information with every 

25 use of said digital work; and 
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dj refusing the use of said digital work if said usage right 

information indicates that the usage right has been exercised; 
characterized in that 

e} a hidden information stored in a hidden channel and used 

5 for encrypting or verifying said usage right information is changed 
when said usage right information has changed. as defined in claim 

[0015] This object is further achieved by a record carrier-ae 

defined in claim 11 for storing a digital work and a usage right 

10 information defining one or more conditions which must be satisfied 
in order for the usage right to be exercised, characterized in that 
said recording carrier comprises a hidden channel which is not 
accessible by a commercial reproducing devices and in which a 
hidden information is stored which is used for encrypting or 

15 verifying said usage right information and which is changed when 
said usage right information has changed.- — aad 

[0016] In addition, this object is achieved by a device for 

controlling distribution and use of a digital work, comprising: 
aj writing means for writing said digital work and an 

20 attached usage right information defining one or more conditions 
which must be satisfied in order for the usage right to be 
exercised, on a record carrier; 

bj updating means for updating said attached usage right 

information with every use of said digital work; and 
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cj control means for refusing the use of said digital work 

if said updated usage ricrht information indicates that the usage 
right has been exercised 
characterized in that 

5 dj said updating means is arranged to change a hidden 

information stored in a hidden channel and used for encrypting or 
verifying said usage right information, when said usage right 
information has changed. ao defined in claim 13 , 

[0017] Accordingly, the usage right information is re-written 
10 and a new hidden inf ormation^, used for encrypting or verifying the 
usage right information^ is stored, when the usage right 
information has changed. Thus, a simple restoring operation of the 
usage right information in the course of a "copy and restore 
attack" merely restores the previous usage right information but 
15 does not restore the previous hidden information. However, due to 
the fact that the changed hidden information no longer fits or 
corresponds to the previous or original usage right information, a 
decryption or a verification of the usage right information is no 
longer possible, such that the protection system of the disc player 
20 will rcGogniQC recognize the attempt of fraud. A "copy and restore 
attack" of the hidden channel will not work, since non-compliant 
devices are not capable of reading or writing on the hidden 
channel . 

[0018] According to an advantageous development, the hidden 
25 information may be a checksum over a data block containing the 
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usage right information. In this case, the usage right information 
does not have to be encrypted on the record carrier. Any 
manipulation of the content of the usage right information can be 
prevented by calculating the checksum and storing this checksum in 
5 the hidden channel. A "copy and restore" attack does not work, 

since the hidden checksumj_ which has been changed with the update 
of the usage right information^ will no longer be valid for the 
restored original usage right information. 

[0019] Alternatively, according to another advantageous 
10 development, the hidden information may be a key used for a 

decrypting the usage right information, wherein the key is randomly 
changed and the usage right information is re -encrypted by using 
the changed key, when the usage right information has changed. The 
restoring of the old version of the usage right information will 
15 not work, since the changed key cannot be used for decrypting the 
original usage right information. 

[0020] Preferably, the previous key is destroyed after the 
change of the key. Thereby, the key used for encrypting the 
original usage right information can no longer be retrieved and a 
20 potential hacker cannot decrypt the original usage right 
information. 

[0021] Preferably, the hidden channel may be generated by: 

[0022] storing the hidden information in deliberate errors which 

can be corrected again; 
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[0023] storing the hidden information in merging bits of a 

runlength- limited code; 

[0024] controlling a polarity of a predetermined runlength of a 

predetermined word of a runlength- limited code, according to the 
5 hidden information; 

[0025] storing the hidden information in deliberate errors in a 

time -base; or 

[0026] storing the hidden information in a memory embedded with 
a disc controller. 

10 [0027] Thereby, a hidden channel can be provided which cannot be 

read or written by existing or conventional disc drives. Even by a 
firmware update, they may not be able to read or write the hidden 
channel. In particular, a modification of the respective integrated 
circuits is required for copying or reading the hidden channel. 

15 This, however, is expensive and requires corresponding expert 
knowledge. The known lead-in areas of record carriers are not 
sufficient to provide such a hidden channel, since the conventional 
disc drives may give access to these areas by simple firmware 
hacking operation. 

20 [0028] According to a further advantageous modification, the 

attached usage right information may be stored in a table together 
with a key information used for decrypting the digital work. Thus, 
the key information required for decrypting the digital work can no 
longer be decrypted after a "copy and restore attack" . The digital 
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work may be an audio track dovmloaded from the Internet to a 
recordable optical disc. 

[0029] Preferably, the usage right information comprises a 
counter information which can be updated when the usage right has 
5 been exercised. Thus, the change of the counter information leads 
to a re-writing and re-encrypting operation with a new hidden key, 
such that a detection and restoring of the updated counter values 
is useless due to the changed hidden decryption key. 

[0030] According to a further advantageous modification, each 
10 track of the recording medium may comprise its en ^own usage right 
information and hidden information. In this case, a hidden key is 
provided for each track of the record carrier, as long as the 
hidden channel provides enough capacity. 

15 BRIEF DESCRIPTION OF THE DRAWINGS 

[0031] In the following, the present invention will be described 
in greater detail based on a preferred embodiment with reference to 
the accompanying drawings, ei — in which; 

[0032] Fig. 1 shows a modification of a key-locker table and a 
20 hidden key after a copy operation, according to the preferred 
embodiment of the present invention-rj_ 

[0033] Fig. 2 shows a basic block diagram of a driving device 
for driving a record carrier according to the preferred embodiment 
of the present invention-; — ; and 
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[0034] Fig. 3 shows a basic flow diagram of a secure update of a 
usage right information, according to the preferred embodiment of 
the present invention. 

5 DESCRIPTION OF THE PREFERRED EMBODIMENT 

[0035] The preferred embodiment will now be described on the 
basis of an EMD from the Internet onto a record carrierj_ such as a 
recordable optical disc, where a music track is purchased, 
downloaded and stored on the record carrier. 

10 [0036] Nevertheless, in the present application, the term 
"digital work", refers to any work that has been reduced to a 
digital representation. This includes any audio, video, text or 
multimedia work and any accompanying interpreter (e.— g.j_ software) 
that may be required for recreating the work. The term "usage 

15 rights" refers to any rights granted to a recipient of a digital 

work. Generally, these rights define how a digital work can be used 
and if it can be further distributed. Each usage right may have one 
or more specified conditions which must be satisfied for the right 
to be exercised. The usage rights are permanently "attached" to the 

20 digital work. Copies made of a digital work will also have usage 
rights attached. Thus, the usage rights and any associated fees 
assigned by a creator and subsequent distributer will always remain 
with a digital work. 

[0037] According to the preferred embodiment, all secrets, e. 
25 g.j_ usage rights, keys, counters, an own identification of the disc 
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or any information which is to be stored in a tamper- free way, are 
stored together in a table which is called a key-locker table KLT. 
The key-locker table KLT is encrypted e.—g.j_ by a DES algorithmj_ 
and stored on the disc in any convenient location. The key used for 
5 encrypting the key-locker KLT is called the key-locker key KLK. 
This key KLK is stored on the disk in a special hidden channel or 
secure side channel which cannot be read or written by existing or 
conventional disc drives. In particular, the hidden channel must be 
arranged such that a firmware update of existing disc drives is not 
10 sufficient to enable a reading or writing operation of the hidden 
channel . 

[0038] The hidden channel must be hidden very deeply in the 
physical characteristics of the recorded data stream, record 
carrier or disc drive, such that a change of the integrated 
15 circuits is required to read or write to the hidden channel with 
existing disc drives. Some possibilities for implementing such a 
hidden channel are: 

(i) storing the hidden information (key) in deliberate errors 

of the data stream, which can be corrected again; 
20 (ii) storing the hidden information in merging bits of a 

runlength- limited code sequence; 

(iii) storing the hidden information by controlling the 

polarity of a predetermined runlength of a predetermined data or 
control symbol of a runlength- limited code sequence, according to 
25 the hidden information; or 
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(iv) storing the hidden information in deliberate errors in 

the time-base of the data stream. 

[0039] However, any other hidden channel suitable to prevent a 
reading or writing of the hidden information with existing disc 
5 drives can be implemented, 

[00403 The key-locker table KLT is re-written each time its 
content is changed, e.— g.j_ when the usage right is consumed. Then, 
a new random key-locker key KLK is used each time the key- locker 
table KLT is re-written. 

10 [0041] Fig. 1 shows a purchased version of the key-locker table 
KLT written on a recordable optical disc, which is encrypted by a 
first key- locker key KLK-1 stored in a hidden channel of the 
optical disc, e.— g.j_ as indicated above. In the example shown in 
Fig. 1, the user has purchased a right to make three copies of 

15 track No. 2. In the key-locker table KLT shown in Fig. 1, only the 
content relevant to track No. 2 is shown, wherein the table 
comprises an identifier portion and a data portion and wherein the 
identifier portion includes an information used for identifying the 
respective data in the data portion. In particular, a key 

20 (indicated in hexa decimal notation) is followed by a track No. 2 
usage right for track No. 2 (indicated in binary notation) and by a 
counter value of track No. 2, which is set to " 3 " , i.e., in line 
with the purchased usage right. 

[0042] After the copy operation of track No. 2, a new key- 
25 locker-key KLK-2 is randomly selected by the disc drive, used for 
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re-encrypting the updated key- locker table KLT, and stored in the 
hidden channel. Thus, as indicated in the lower part of Fig. 1, 
after the first copy of track two, the key-locker table KLT has 
been re -encrypted by the new key- locker key KLK-2 and updated by 
5 decreasing the counter value in the key- locker table KLT to "2". 
[0043] Accordingly, an extraction and intermediate storage of 
the original or purchased key-locker table KLT, followed by a re- 
storing after the first copy operation is useless, since the new 
key- locker key KLK-2 is now stored in the hidden channel and a 
10 decryption of the key- locker table KLT would now no longer be 
possible by the disc drive. Accordingly, any "copy and restore 
attack" is readily detected by the disc drive or at least leads to 
an error. 

[0044] Fig. 2 shows a basic block diagram of a disc drive 
15 according to the preferred embodiment of the present invention, 
which is arranged to generate and write a key-locker table KLT 
together with a digital work DW (i.— e.j^ a music track or the like) 
on a recordable disc 10 based on usage right acquired together with 
a purchase from the Internet. In particular, an EMD application,^ 
20 which may run on a computer system to provide a corresponding 
download function^, stores the purchased scrambled digital work 
together with the key required for descrambling the digital work, 
and a description of the usage rights in a memory 23 of the disc 
drive. As an alternative, the purchased pieces of information may 
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be Stored in a memory of the computer system from which they are 
read by a drive controller 21 of the disc drive. 
[0045] The drive controller 21 reads the purchased pieces of 
information from the memory 23 and supplies the key and the usage 
5 rights to a key-locker update and encryption unit 22 which is 
arranged to generate a corresponding key- locker table KLT and to 
randomly select a key- locker key KLK used for encrypting the key- 
locker table KLT. The drive controller 21 receives the generated 
key- locker table KLT and key- locker key KLK and controls a reading 

10 and writing (RW) unit 20 so as to write the purchased digital work 
DW (i.— e.j_ music track) and the key-locker table KLT at 
predetermined positions on the recordable disc 10. Furthermore, the 
drive controller 21 controls the RW unit 20 so as to store the key- 
locker key KLK in a hidden channel of the recordable disc 10, which 

15 is not accessible by conventional disc drives or disc players. With 
every change of the purchased usage right due to a consumption (i. 
e.^ copy or play operation), the drive controller 21 supplies a 
corresponding control signal to the key- locker update and 
encryption unit 22 which updates the key- locker table KLT 

20 correspondingly, generates a new randomly selected key- locker key 
KLK, and encrypts the key-locker table KLT using the new key- locker 
key KLT. The drive controller 21 receives the updated and scrambled 
key- locker table KLT and the new key- locker key KLK and controls 
the RW unit 20 so as to write the re- scrambled key- locker table KLT 

25 onto the recordable disc 10 and the new key- locker key KLK in the 
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hidden channel. This updating and re-encryption by using a new key- 
locker key KLK is thus performed after each change inside the key- 
locker table KLT. 

[0046] If the updated key- locker table KLT indicates that the 
5 usage rights have been exercised or consumed, the disk controller 
21 refuses the use of the respective digital work, e,— g.j_ by 
transmitting a corresponding error message or control signal to the 
EMD application, 

[0047] It is to be noted that the key- locker update and 
10 encryption unit 22 may be implemented as a software routine of the 
drive controller 21. 

[0048] Fig. 3 shows a basic flow diagram of the above procedure 
for a secure update of the usage rights. According to Fig. 3j_ a new 
random key-locker key KLK-2 is generated in step SlOO after the 

15 recordable disc has been loaded into the disc drive and a 

corresponding usage operation of the digital work has been started. 
Then, the content of the key- locker table KLT is updated and 
encrypted with the new key- locker key KLK-2 by the key- locker 
update and encryption unit 22 (step SlOl) . Thereafter, the new key- 

20 locker-key KLK-2 is written by the RW unit 20 in the hidden channel 
HC of the recordable disc 10 (step S102) . This step may be followed 
by the optional steps of verifying that the new key-locker key KLK- 
2 and the re-encrypted key-locker table KLT have been written 
correctly on the recordable disc 10. Finally, the previous key- 

25 locker key KLK-1 may be destroyed by the RW unit 20 (step SI 03) . 
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[0049] According to an alternative modification of the preferred 
embodiment, the key-locker update and encryption unit 22 may be 
replaced by a key locker update and verification unit arranged to 
calculate a checksum over the content of the key- locker table KLT 
5 and to store this checksum in the hidden channel HC (instead of the 
key- locker key KLK) . In this case, the key-locker table KLT even 
does not need to be encrypted. Any manipulation of the content of 
the key- locker table KLT can be verified by the key- locker update 
and verification unit by a checking operation using the hidden 

10 checksum. Any change of the key- locker table KLT resulting from a 
consumption or exercise of the purchased usage rights leads to a 
changed checksum which is written in the hidden channel HC. Thus, 
the "copy and restore attack" will lead to a mismatch between the 
actual checksum of the restored key- locker table KLT and the hidden 

15 check sum. This mismatch will be detected by the key- locker update 
and verification unit, such that an error processing or protection 
mechanism may be started. 

[0050] Thus, the present invention provides the advantage that a 
"copy and restore attack" leads to a mismatch between the hidden 
20 key- locker key KLK or the alternative hidden checksum and the 
restored key-locker table KLT. This mismatch either prevents a 
descrambling of the key- locker table KLT or leads to an error in 
the verification processing. Thus, the fraud attack can be detected 
at the disc drive. 
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[0051] In another embodiment, the hidden channel comprises 
random data which is used for calculating a checksum over the 
content of the key- locker table KLT and which checksum is stored in 
the user data, therefore freely accessible, both for compliant and 
5 non-compliant devices. If it is ascertained that the content of the 
hidden channel can not be deterministically changed by a non- 
compliant device, the content of the hidden channel may be freely 
accessible A compliant device can calculate the checksum by reading 
the random data in the hidden channel an check whether the 
10 calculated checksum corresponds to checksum present in the user 

data. A calculated checksum which differs from the checksiim present 
in the user data indicates that the content of the hidden channel 
might be tampered with. 

[0052] It is noted that the present invention is not restricted 
15 to the above embodiments, but can be applied to any recording or 
writing applications which should be protected against "copy and 
restore attacks". The EMD may be performed by a free distribution 
of the scrambled digital work DW on a pressed disc or via a 
broadcast channel. The key however, is then not distributed 
20 together with the content of the digital work. It can be purchased 
via the Internet. In such a case, a download of the compressed 
digital work is not necessary, only the keys have to be downloaded. 
Thereby, the network load and transmission costs can be decreased. 
[0053] Furthermore, the key- locker table KLT may be arranged as 
25 one key-locker table per track. In this case, enough capacity of 
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the hidden channel is required to store a random key-locker key KLK 
for each key- locker table KLT. The key- locker table KLT could be 
split into a plurality of key-locker tables if its size becomes too 
big to perform a re- writing operation at each transaction. Then, 
5 each key- locker table KLT will have its own random key- locker key 
KLK stored in the hidden channel. 

[0054] The present invention may as well be applied to protect 
hard discs against "copy and restore attacks". In this case, the 
hidden channel could be arranged as a memory embedded within the 
10 HDD controller. A similar application is possible for flash memory 
cards or the like. Generally, the present invention can be applied 
to protect any further recording medium, e.g.j_ magneto-optic 
recording medium (minidisc) or magnetic tape. 
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ABSTRACT- ^ OF THE DISCLOSURE 

The prcoont invention rolatoo to aA method and device for 
controlling distribution and use of a digital work otorcd , stores 
5 the digital work together with an attached usage right information 
on a record carrier. The attached usage right information is 
encrypted or verified by using a hidden information which is 
changed at every change of said usage right information. The hidden 
information may be an encryption key used for encrypting the usage 
10 right information, or a checksum of a data block containing the 
usage right information. Thus, a "copy and restore attack" is not 
successful, since it will lead to a mismatch between the hidden 
information and the restored usage right information. 

15 Fig. 1 
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